ATT&CK for Emotet · 2021. 2. 11. · Emotet loader with uptick targeting state and local...
Transcript of ATT&CK for Emotet · 2021. 2. 11. · Emotet loader with uptick targeting state and local...
ATT&CK for Emotet01/28/2021
TLP: WHITE, ID# 202101281030
Agenda
TLP: WHITE 2
• What Is ATT&CK?
• Why Use ATT&CK?
• How To Start With ATT&CK
• Emotet Malware Profile
• Recent Emotet Updates
• Emotet Threat to HPH
• ATT&CK Techniques for Emotet
• ATT&CK Mitigations for Emotet
• References
Non-Technical: Managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)
Slides Key:
3
• ATT&CK framework developed by the MITRE Corporation in 2013 and released to the public in May 2015
• Stands for “Adversarial Tactics, Techniques, and Common Knowledge”
• Comprehensive matrix of tactics and techniques associated with malware families and threat groups
• Leveraged by cybersecurity professionals to better classify attacks and assess an organization’s risk
• Platforms: Windows, macOS, Linux, Cloud, Network• Three different matrices:
o Enterprise ATT&CKo Pre-ATT&CKo Mobile ATT&CK
• 14 tactics correspond to attack stages• 177 techniques and 348 sub-techniques• 42 enterprise mitigations• 512 software / malware• 109 groups• And growing!
What Is ATT&CK?
TLP: WHITE
Enterprise Tactics
1. Reconnaissance2. Resource
Development3. Initial Access 4. Execution 5. Persistence 6. Privilege Escalation 7. Defense Evasion 8. Credential Access 9. Discovery 10. Lateral Movement 11. Collection 12. Command and Control 13. Exfiltration 14. Impact
4
• David Bianco’s Pyramid of Pain (2013)
• TTPs are tough for adversaries to change!
• ATT&CK provides a framework for analyzing and defending against attacker TTPs
• Improve threat intelligence and detection capabilities
• ATT&CK helps teams communicate in common language
• ATT&CK can be leveraged by teams of all sizes and maturity levels
• Identify security gaps and rate detection coverage
• Compare TTPs across threat groups to identify overlaps
• Improve post-compromise detection of adversaries
Why Use ATT&CK?
TLP: WHITE
Source: David Bianco
5
• Start small!
• Choose one threat group or software that targets your industry
• Choose one ATT&CK technique each week to discuss across teams on how your organization can detect, defend, and emulate this attacker behavior
• Collect one log source that will improve ATT&CK visibility
• What are the countermeasures or mitigations for each ATT&CK technique?
How To Start With ATT&CK
TLP: WHITE
Source: iamWire
For more:Getting Started with ATT&CK by The MITRE CorporationUsing ATT&CK for Cyber Threat Intelligence Training by MITREGetting Started with ATT&CK: Threat Intelligence by Katie Nickels
6
• Malware Name: Emotet (aka Geodo)
• Malware Description: Emotet is a modular Trojan initially associated with banking fraud which, since 2017, has been limited to spam and secondary payload distribution. There are hundreds of variants of Emotet and the malware continues to update with new capabilities and evasion techniques.
• Malware Type: Trojan
• Associated Threat Group(s): TA542, MummySpider, Mealybug; Wizard Spider, UNC1878, Temp.MixMaster, Grim Spider
• First Discovered: 2014
• Last Active: December 2020
• Primary Distribution: phishing e-mails
• Malware Capabilities: self-propagation, brute-forcing passwords, credential theft, defense evasion, lateral movement, persistence
• Secondary Payloads: Qakbot, Dridex, IcedID, Trickbot, Ryuk, Conti, ProLock, Zloader, and more.
• Targeted Industries: Pharmaceutical, Healthcare, Biotechnology, Government, Technology, Transportation, and more.
Malware Profile: Emotet
TLP: WHITE
Source: ZDNet
7
Recent Emotet Updates
TLP: WHITE
Feb 2020: Non-US countries
targeted with COVID-19-
themed phishing
emails to lure victims to download Emotet
July 2020: US
businesses targeted with
COVID-9-themed phishing
emails with previously
used EmotetURLs
Aug 2020: 1,000 percent
increase in downloads of Emotet loader
with uptick targeting state
and local governments
in US
Sep-Oct 2020: Emotet surge
impacting Canada, France,
Japan, New Zealand, Italy,
and Netherlands.
Dec 2020:Emotet returns with 100k daily
emails and new evasion
tactics
Jan 27, 2021: Europol
announces international
law enforcement takedown of the EMOTET
botnet
Emotet Takedown – January 2021
TLP: WHITE 8
Source: EUROPOL
• Authorities from Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol
• Emotet infrastructure involved several hundreds of servers located across the world
• The infected machines of victims have been redirected to law enforcement-controlled infrastructure
• Dutch police have launched a website that lets users see if their emails were present in Emotet'sinternal spam database
• Ukrainian police announced the arrest of two suspects who were allegedly tasked with keeping Emotet infrastructure up and running
• Possible that actors who remain at large could rebuild the botnet in the future
• Emotet will be uninstalled globally on March 25
Emotet Threat to HPH
• April 2019: “Emotet Trojan Is the Most Prevalent Threat in Healthcare Systems” according to Malwarebyteso 80% of malware affecting computer systems
in the healthcare industry are Trojans, with the most common one being Emotet
o 37% of Trojans affecting healthcare were a result of Emotet infections in 2019
• January 2021: “Cyber-attacks on global healthcare organizations (HCOs) increased at more than double the rate of those targeting other sectors over the past two months,” according to Check Point.o 45% increase in attacks on the healthcare
sector, versus less than half this figure (22%) for all other industry verticals.
o Ryuk and Sodinokibi (REvil) were highlighted as the main culprits and it is widely known that Emotet is often leveraged in Ryuk ransomware attacks
TLP: WHITE 9
Source: BleepingComputer
Case Study: Applying the ATT&CK Framework
TLP: WHITE 10
• Emotet hit a European country’s national public health center in December 2020. The following details were pulled from media reports:
1. Phishing emails socially engineered targets to open Zipped archive with password included in message
2. Malware was encrypted and password-protected3. Evaded anti-malware solutions by using
password-protected archives as attachments4. Emotet loader contained benign code from a
Microsoft DLL to evade antivirus solutions5. Thread hijacking to distribute malicious code
using password-protected archives as attachments
6. Compromised systems at the health center were leveraged to send malicious emails to other government entities in the same country as well as researchers
7. E-mail systems shut down temporarily to stop further spread of Trojan
8. Impacted internal networks9. Likely attempted to distribute Trickbot
ATT&CK Interpretation1. T1566.001 - Spearphishing
Attachment
2. T1204.002 - User Execution: Malicious File
3. T1027 - Obfuscated Files or Information
4. T1036 - Masquerading
5. T1586.002 - Compromise Accounts: Email Accounts
6. T1586.002 - Compromise Accounts: Email Accounts
7. T1499 - Endpoint Denial of Service
8. T1498 - Network Denial of Service
11
ATT&CK Techniques for Emotet (Graphic)
TLP: WHITE
Initial Access
SpearphishingAttachment
SpearphishingLink Valid Accounts
Execution PowerShell Visual Basic Windows Command Shell Scheduled Task Malicious Link
Windows Management
InstrumentationUser Execution
Persistence Windows Service
Registry Run Keys / Startup
Folder
Privilege Escalation
Dynamic-link Library (DLL)
Injection
Defense Evasion
Software Packing
Obfuscated Files or Information
Credential Access
Credentials from Web Browsers Network Sniffing LSASS Memory Password
GuessingCredentials In
Files
DiscoveryAccount
Discovery: Email Account
Process Discovery
Lateral Movement
Exploitation of Remote Services
SMB/Windows Admin Shares
Collection Local Email Collection
Archive Collected Data
Command and Control
Non-Standard Port
Encrypted Channel:
Asymmetric Cryptography
Exfiltration Exfiltration Over C2 Channel
ImpactSource: Mitre
12
ATT&CK Techniques for Emotet (Table)
TLP: WHITE
ATT&CK ID Tactic TechniqueT1566.002 Initial Access Phishing: Spearphishing LinkT1566.001 Initial Access Phishing: Spearphishing AttachmentT1078.003 Initial Access Valid Accounts: Local AccountsT1059.001 Execution Command and Scripting Interpreter: PowerShellT1059.005 Execution Command and Scripting Interpreter: Visual BasicT1059.003 Execution Command and Scripting Interpreter: Windows Command ShellT1053.005 Execution Scheduled Task/Job: Scheduled TaskT1204.001 Execution User Execution: Malicious LinkT1204.002 Execution User Execution: Malicious FileT1047 Execution Windows Management InstrumentationT1547.001 Persistence Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1543.003 Persistence Create or Modify System Process: Windows Service
T1055.001Privilege Escalation Process Injection: Dynamic-link Library Injection
Source: Mitre
13
ATT&CK Techniques for Emotet (Table) (continued)
TLP: WHITE
ATT&CK ID Tactic TechniqueT1027 Defense Evasion Obfuscated Files or InformationT1027.002 Defense Evasion Software PackingT1110.001 Credential Access Brute Force: Password GuessingT1555.003 Credential Access Credentials from Password Stores: Credentials from Web BrowsersT1040 Credential Access Network SniffingT1003.001 Credential Access OS Credential Dumping: LSASS MemoryT1552.001 Credential Access Unsecured Credentials: Credentials In FilesT1087.003 Discovery Account Discovery: Email AccountT1057 Discovery Process DiscoveryT1210 Lateral Movement Exploitation of Remote ServicesT1021.002 Lateral Movement Remote Services: SMB/Windows Admin SharesT1560 Collection Archive Collected DataT1114.001 Collection Email Collection: Local Email Collection
T1573.002Command and Control Encrypted Channel: Asymmetric Cryptography
T1571Command and Control Non-Standard Port
T1041 Exfiltration Exfiltration Over C2 ChannelSource: Mitre
14
ATT&CK Mitigations for Emotet (Graphic)
TLP: WHITE
Initial Access
User Training: Phishing
Antivirus/Antimalware
Network Intrusion
PreventionRestrict Web-Based Content
Password Policies
Privileged Account
Management
ExecutionDisable or Remove
Feature or Program
User Training: Phishing
Privileged Account
ManagementUser Account Management Code Signing Antivirus/Antima
lwareExecution Prevention Audit
Operating System
ConfigurationRestrict Web-Based Content
Persistence Monitor RegistryMonitor
Windows Services
Audit User Account Management
Privilege Escalation
Behavior Prevention on
Endpoint
Defense Evasion
Antivirus/Antimalware
Credential Access
Multi-Factor Authentication
Encrypt Sensitive
InformationUser Training Audit Account Use
PoliciesPassword Policies
Credential Access
Protection
Privileged Account
Management
Privileged Process Integrity
Restrict File and Directory
Permissions
Operating System
Configuration
Discovery
Lateral Movement
Application Isolation and Sandboxing
Disable or Remove
Feature or Program
Exploit Protection
Network Segmentation
Privileged Account
Management
Threat Intelligence
ProgramUpdate
SoftwareVulnerability
ScanningFilter Network
TrafficLimit Access to Resource Over
NetworkPassword Policies
Collection AuditEncrypt
Sensitive Information
Command and Control
Network Intrusion
PreventionSSL/TLS Inspection
Network Segmentation
ExfiltrationNetwork Intrusion
Prevention
ImpactSource: Mitre
15
ATT&CK Mitigations for Emotet
TLP: WHITE
Mitigation ID Mitigation NameM1049 Antivirus/AntimalwareM1031 Network Intrusion PreventionM1021 Restrict Web-Based ContentM1017 User TrainingM1027 Password PoliciesM1026 Privileged Account ManagementM1045 Code SigningM1042 Disable or Remove Feature or ProgramM1038 Execution PreventionM1047 AuditM1028 Operating System ConfigurationM1018 User Account ManagementM1040 Behavior Prevention on EndpointM1036 Account Use Policies
Source: Mitre
16
ATT&CK Mitigations for Emotet (cont.)
TLP: WHITE
Mitigation ID Mitigation NameM1032 Multi-factor AuthenticationM1041 Encrypt Sensitive InformationM1043 Credential Access ProtectionM1025 Privileged Process IntegrityM1022 Restrict File and Directory PermissionsM1048 Application Isolation and SandboxingM1050 Exploit ProtectionM1030 Network SegmentationM1019 Threat Intelligence ProgramM1051 Update SoftwareM1016 Vulnerability ScanningM1037 Filter Network TrafficM1035 Limit Access to Resource Over NetworkM1020 SSL/TLS Inspection
Source: Mitre
Takeaways
• ATT&CK knowledge base and training is FREE!
• TTPs are TOUGH for adversaries to change which makes ATT&CK valuable from a security standpoint
• It is EASY to get started implementing ATT&CK!
• While Emotet was taken down this week, it remains to be seen if this will have a long standing impact
TLP: WHITE 17
Source: BleepingComputer
Reference Materials
19
• Bianco, David J. 2014. The Pyramid of Pain. January 17. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html.
• CISA. 2020. Alert (AA20-280A) - Emotet Malware. October 24. https://us-cert.cisa.gov/ncas/alerts/aa20-280a.
• Davis, Jessica. 2020. Emotet Malware Returns with 100K Daily Emails, New Evasion Tactics. December 31. https://healthitsecurity.com/news/emotet-malware-returns-with-100k-daily-emails-new-evasion-tactics.
• —. 2020. Emotet Malware Threat Actors Return with Massive Email Campaign. July 22. https://healthitsecurity.com/news/emotet-malware-actors-return-with-malicious-email-campaign.
• F, Axel. 2019. Threat Actor Profile: TA542, From Banker to Malware Distribution Service. May 15. https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service.
• Gatlan, Sergiu. 2020. Emotet malware hits Lithuania's National Public Health Center. December 30. https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/.
• Gutman, Yotam. 2020. Revisiting the Pyramid of Pain | Leveraging EDR Data to Improve Cyber Threat Intelligence. September 21. https://www.sentinelone.com/blog/revisiting-the-pyramid-of-pain-leveraging-edr-data-to-improve-cyber-threat-intelligence/.
• Lemos, Robert. 2020. Emotet Campaign Restarts After Seven-Week Hiatus. December 22. https://www.darkreading.com/threat-intelligence/emotet-campaign-restarts-after-seven-week-hiatus/d/d-id/1339792.
• Malwarebytes. n.d. Emotet. https://www.malwarebytes.com/emotet/.
References
TLP: WHITE
20
• Nair, Prajeet. 2020. Emotet Botnet Returns After 2-Month Hiatus. December 23. https://www.bankinfosecurity.com/emotet-botnet-returns-after-2-month-hiatus-a-15656.
• Nickels, Katie. 2019. Getting Started with ATT&CK: Threat Intelligence. June 10. https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f.
• Oren, Shimon, and Dave Bitner. 2021. Emotet reemerges and becomes one of most prolific threat groups out there. Ep 165 | 1.9.21. January 9. https://thecyberwire.com/podcasts/research-saturday/165/notes.
• The MITRE Corporation. 2019. Mitre ATT&CK, Software, Emotet. March 25. https://attack.mitre.org/software/S0367/.
• Toulas, Bill. 2020. Emotet Returns for Christmas With a New Bag of Tricks. December 2020. https://www.technadu.com/emotet-returns-christmas-new-bag-tricks/234489/.
• Trend Micro. 2020. Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan. January 31. https://www.trendmicro.com/vinfo/mx/security/news/cybercrime-and-digital-threats/emotet-uses-coronavirus-scare-in-latest-campaign-targets-japan.
• Wunder, John. 2019. Getting Started with ATT&CK: Detection and Analytics. June 18. https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0.
• Yizhak, Ron Ben. 2020. Emotet Analysis: Why Emotet’s Latest Wave is Harder to Catch than Ever Before. August 12. https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/.
• —. 2020. Why Emotet’s Latest Wave is Harder to Catch Than Ever Before – Part 2. October 12. https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/.
References
TLP: WHITE
? Questions
22
Questions
Upcoming Briefs
• Threats in Healthcare Cloud Computing (2/4)
• Malicious SendGrid Campaigns (2/11)
TLP: WHITE
Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to [email protected], or call us Monday-Friday between 9am-5pm (EST), at (202) 691-2110.
Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback. If you wish to provide feedback please complete the HC3 Customer Feedback Survey.
Disclaimer
These recommendations are advisory and are not to be considered as Federal directives or standards. Representatives should review and apply the guidance based on their own requirements and discretion. HHS does not endorse any specific person, entity, product, service, or enterprise.
23
About Us
HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector
Sector & Victim Notifications White PapersDirect communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, as well as general notifications to the HPH about current impacting threats via the HHS OIG.
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
Threat Briefings & WebinarBriefing presentations that provide actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.
Need information on a specific cybersecurity topic, or want to join our Listserv? Send your request for information (RFI) to [email protected],or call us Monday-Friday between 9am-5pm (EST), at (202) 691-2110.
Visit us at: www.HHS.Gov/HC3
Products
TLP: WHITE
Contact
www.HHS.GOV/HC3 (202) 691-2110 [email protected]